Encrypted Drives and Virtual Machine Images

In this day and age, plenty of people can get into your computer system and steal your data, and a lost or stolen laptop hands it over without any attack at all. This makes it all the more essential to ensure that beyond your perimeter network security barrier, you have a line of defense inside your system. That line of defense is encryption. Storing data unencrypted on your hard drive isn't a mortal sin, but it could come back to bite you some day, so today we're going to discuss that last line of digital defense.

There are two cryptodrive systems with the biggest market share today: TrueCrypt and PGPDisk. Each has a number of advantages and disadvantages, but both keep your data secret from prying eyes while the volume is unmounted. A mounted volume is just another drive to anything running as you, which matters later on. Whether you're just storing your family photos or your customers' credit card data, using this technology is a must in today's world.

I think TrueCrypt has 6 advantages over PGPDisk: 1) It's open-source. 2) It's free. 3) It's cross-platform. 4) A container can hold a second, hidden volume, accessed by its own passphrase (or keyfiles), or it can hold just one "visible" volume. The hidden volume lives in the free space at the end of the outer volume, and anyone analyzing the bits of the unmounted drive/file cannot tell whether it exists, so there is plausible deniability. (One caveat: writing to the outer volume can overwrite the hidden one unless you mount the outer volume with hidden-volume protection enabled, which means supplying both passphrases.) 5) You can choose from a range of encryption and hash algorithms to suit your personal preferences. 6) Because the source is public (see #1), a back-door would have to survive review by anyone who cares to read the code. That is far stronger assurance than a vendor's word, though it is not a proof. On top of all that, installation and use are simple, especially on Windows machines. It's hard to deny that TrueCrypt is an amazing technology.

For added security, you could even store PGP-encrypted files INSIDE your TrueCrypt drive(s), and keep no plain-text files in there. Your mileage and paranoia may vary, but that sort of dual-encryption scheme addresses the problem that a mounted encrypted drive can be read just like a normal drive: anything that can read the mounted volume still sees only ciphertext until you decrypt an individual file. Just because you want 1 file from the encrypted drive doesn't mean an attacker should be able to get to all the files in there.

PGPDisk is no slacker either, though. Even though it isn't free and it isn't open-source, it's very fast and builds itself into the Windows shell quite seamlessly. It has great options. You can have it mount your encrypted drives at startup if you want, and auto-unmount after however many minutes of inactivity or at system standby. It can use any number of your existing PGP keys to access the volume, so the drive could be accessed by 20 people if you want, and/or you could just use a passphrase not associated with a PGP key. This works because the PGP keys and/or passphrase do not encrypt the disk themselves: each of them unlocks a copy of a master key, and that master key is what actually encrypts and decrypts the disk. So when you type in your PGP passphrase you are really unlocking a master key that does the dirty work, which is also why adding or removing a user never requires re-encrypting the whole volume. PGPDisk is for Windows only, so that is definitely one thing to keep in mind when picking which solution you want to go with. Also, since it is closed-source, the absence of a back-door can't be independently verified. No back-door has ever been demonstrated, but you are taking the vendor's word for it, and that trade-off is the price of the integration.
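To make the master-key idea concrete, here is an added example (my own illustration, not PGPDisk's or TrueCrypt's code) of a volume header with several passphrase "slots" that all wrap the same master key. Only the master key ever touches the disk contents, so a user can be added or removed by rewriting one slot. The PBKDF2 iteration count is an assumed value, and the per-sector cipher is an HMAC-SHA256 counter-mode keystream standing in for the AES a real product would use; PGP-key slots are left out and only passphrase slots are shown.

```python
import hashlib
import hmac
import os

# Added example (not PGPDisk's code). Each passphrase "slot" wraps the same
# master key; only the master key ever encrypts disk contents. Adding or
# removing a user touches one slot, never the encrypted data. The KDF cost
# below is an assumed value; a real product would also use AES (e.g. XTS)
# rather than the HMAC stream cipher used here as a stand-in.
KDF_ITERATIONS = 100_000
MASTER_KEY_LEN = 32


def _derive(passphrase, salt):
    """PBKDF2-SHA256 -> (wrapping key, MAC key), 32 bytes each."""
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                              KDF_ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def add_slot(master_key, passphrase):
    """Wrap the master key under a passphrase with a fresh per-slot salt.

    The wrapping key comes from a salt used nowhere else, so it is used
    exactly once: XOR-ing it over the 32-byte master key is a one-time pad.
    The HMAC tag lets open_slot() tell a wrong passphrase from a right one."""
    assert len(master_key) == MASTER_KEY_LEN
    salt = os.urandom(16)
    wrap_key, mac_key = _derive(passphrase, salt)
    wrapped = _xor(master_key, wrap_key)
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def open_slot(slot, passphrase):
    """Return the master key if the passphrase fits this slot, else None."""
    wrap_key, mac_key = _derive(passphrase, slot["salt"])
    tag = hmac.new(mac_key, slot["salt"] + slot["wrapped"], "sha256").digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        return None
    return _xor(slot["wrapped"], wrap_key)


def unlock(slots, passphrase):
    """Try every slot in the volume header, as a multi-user volume does."""
    for slot in slots:
        key = open_slot(slot, passphrase)
        if key is not None:
            return key
    return None


def _keystream(master_key, sector, length):
    """HMAC-SHA256 in counter mode, keyed by the master key and sector number
    (stand-in for the real volume cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(master_key, block, "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_sector(master_key, sector, data):
    """XOR with the per-sector keystream; decryption is the same operation."""
    return _xor(data, _keystream(master_key, sector, len(data)))


decrypt_sector = encrypt_sector


def demo():
    master_key = os.urandom(MASTER_KEY_LEN)
    slots = [add_slot(master_key, "alice's passphrase"),
             add_slot(master_key, "bob's passphrase")]
    ciphertext = encrypt_sector(master_key, 7, b"member account data")
    alice = decrypt_sector(unlock(slots, "alice's passphrase"), 7, ciphertext)
    bob = decrypt_sector(unlock(slots, "bob's passphrase"), 7, ciphertext)
    return alice, bob, unlock(slots, "not a valid passphrase")


if __name__ == "__main__":
    print(demo())  # (b'member account data', b'member account data', None)
```

Changing Alice's passphrase means rewriting her slot with the same master key; revoking Bob means deleting his slot. Neither operation touches a single sector of encrypted data, which is exactly the property the master-key design buys you.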

Also, it is best to keep your encrypted drive/file on a small (1 gigabyte or so) USB flash drive, and keep a backup of it on a CD or DVD. When creating your encrypted drive, 640 MB is a good size to select since then you can back it up to a CD-ROM easily and you won't have to worry about splitting the file onto 2 CDs. Remember that a backup of the container is worthless without the passphrase and any keyfiles, so keep those backed up separately and securely.

One of the best reasons to use TrueCrypt is its cross-platform capability. You could be running a Microsoft Windows machine and have Ubuntu running in a VMWare image, and both your VMWare guest and your real machine would be able to get to the data.

Also, on a bit of a side-note, if you're using Windows it is a really good idea to do all of your web-surfing in the VM image instead of in Windows itself. Then, if you're surfing the net with Firefox in the Ubuntu VM image and you get hit by a zero-day browser exploit, the effects stay trapped in the VM image (barring a guest-to-host escape). Since your real data is in the encrypted drive and your real system is unaffected, it's just a matter of reverting to a fresh VM image and you're good to go again. The one rule that makes this work: don't mount the encrypted volume inside the VM you browse from. A mounted volume is just a drive to whatever is running in that guest, exploit payloads included.

Information security doesn't stop at the network perimeter; it stops at the bits of juicy data the attacker wants to steal. Use encryption, use VM images: they are your friend. The digital future is shaping up to be a very hostile place for novices, so educate yourself and your friends now to avoid getting stung later.

~'>{[\|/.:";,]}<`?

Say what?? Some special characters are better than others for passwords.

When an attacker gets a password hash, they need to pick which charset to use to crack it. Some people say there are only 4 categories: lower alpha, upper alpha, numbers and special characters. However, brute-force password crackers like Cain, and precomputed rainbow tables (which are generated for a specific charset and length, so the choice is baked in before the attack even starts), distinguish between types of special characters. They ask whether you'd like to include only the weaker special characters, the ones more commonly used: !@#$%^&*()-_+=

…or would you like to include the far less likely to be chosen set of extended special characters? ~'>{[\|/.:";,]}<`? Since cracking tools distinguish between these sets, you should too, and you should use characters from all 5 groupings. A password like Abc123 is far stronger as "A,b,c,1.2.3?" (it is twice as long and forces the attacker to widen the charset), and how much harder is that to remember? It's easier than you think to bulletproof your password against advanced cracking technologies. You could surround your password in "quotes", or with [square brackets]. You could make it something easily memorable like {$19.95!}Ca||-n0\/\/ or "C:\WinNT\$Y5T3M\" or `Ta~0!!' The possibilities are, of course, endless. But the key is to use all 5 sets:

Set 1: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Set 2: abcdefghijklmnopqrstuvwxyz
Set 3: 0123456789
Set 4: !@#$%^&*()-_+=
Set 5: ~'>{[\|/.:";,]}<`?

One caveat on a popular piece of advice: refusing to use commonly used characters such as !, 1, e, 3, E, o, O, 0, 5, S and s only helps against dictionary and "leet-speak" substitution rules, which guess those substitutions first. An exhaustive brute-force or rainbow-table run over a charset tries every combination regardless of which characters you favored, so against that attacker what counts is the size of the charset you force them to use and the length of the password, not the particular characters you picked.
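As an added example (mine, not part of the original post), the five groups above as the charset menu an attacker chooses from, with functions that report which groups a password forces on, the size of the smallest covering charset and the resulting keyspace. The names and the 95-character fallback for anything outside the five tables are my own choices.

```python
# Added example, not from the original post. The five groups below are the
# charset menu a brute-force cracker or rainbow-table generator presents; the
# functions show what choosing among them costs an attacker.
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
COMMON_SPECIAL = "!@#$%^&*()-_+="
EXTENDED_SPECIAL = "~'>{[\\|/.:\";,]}<`?"
ALL_PRINTABLE = 95  # every printable ASCII character, space included

CLASSES = {
    "upper": UPPER,
    "lower": LOWER,
    "digit": DIGITS,
    "common_special": COMMON_SPECIAL,
    "extended_special": EXTENDED_SPECIAL,
}


def classes_used(password):
    """The groups an attacker must switch on for the search to ever reach
    this password. 'other' marks characters outside all five tables."""
    used = set()
    for ch in password:
        for name, chars in CLASSES.items():
            if ch in chars:
                used.add(name)
                break
        else:
            used.add("other")
    return used


def charset_size(password):
    """Size of the smallest cracker charset that covers the password.
    Anything outside the five tables (space, for instance) is charged at the
    full printable-ASCII table, an approximation chosen for this example."""
    used = classes_used(password)
    if "other" in used:
        return ALL_PRINTABLE
    return sum(len(CLASSES[name]) for name in used)


def keyspace(password):
    """Candidates an exhaustive search over that charset and length tries.
    Note what this does NOT depend on: which particular characters you picked.
    Avoiding 'e' or '1' changes nothing here; only charset and length do."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time for an attacker who must try the whole keyspace."""
    return keyspace(password) / guesses_per_second


def times_larger(weaker, stronger):
    """How many times larger the second password's keyspace is."""
    return keyspace(stronger) / keyspace(weaker)
```

Run it over the post's own examples and one thing jumps out: "A,b,c,1.2.3?" uses only four of the five groups (there is no set-4 character in it), so it lands in an 80-character charset rather than a 94-character one; it is still enormously stronger than Abc123 because it is twice as long. Real crackers lead with dictionaries and masks rather than exhaustive search, so the numbers above are an upper bound on the attacker's effort, and length is the cheapest way to push that bound up.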

A Day in the Life of a Home PC on the Internet

The BBC finally validated what security teams around the world have been saying for a couple of years – home user machine security counts too. In a recent test by the BBC news team, they used a honeypot to emulate a home user system with a high-speed connection. What they found is likely not surprising to security folks, but it is likely eye opening to the common user and management.

The BBC team ran the honeypot over a 24 hour period. During that time, the PC was attacked 53 times from the Internet! The attacks they identified broke down as follows:

1 attempted buffer overflow
2 port scans
14 worm attacks
36 RPC-type attempts to Trojan the machine

This matches what MSI has observed when we have done the same thing with our honeypots. These are real numbers, and in some cases may even be low. Our exposed honeypot systems often show higher levels of attack than this, including hundreds of spam email probes, repeated worm assaults against web systems, scans for vulnerable PHP and Horde Framework files and all sorts of other noise.

The reality is that attackers and automated assaults like Bots, Trojans and worms have made even the home user network neighborhoods dangerous places to hang out. Without the proper safeguards and security mechanisms, home user systems are in serious danger. Attackers will plunder them for identity data, leverage them to gain access to corporate environments and turn them into components of ever-increasing Bot-nets. Until home users begin to make better security decisions, vendors begin to integrate deeper security into their computing products and consumers begin to care about security in the way they spend their currency, it is very likely that home systems will remain little more than sitting ducks.

Increasing Credit Union Attacks, But Little Added Consumer Risk

For the last several months, news has been coming from the various security vendors that attacker focus has shifted away from banks and other financial institutions to the credit unions. The attackers probably assume that credit unions are an easier target than the banks. In our experience this is simply not true. Though credit unions do have risks, they do not seem to be larger than banks and other financial organizations.

Primarily, credit unions face three key areas of risk by attackers today, in terms of information security. These risks are discussed below:

1) Network, application or database compromises – This is the most common form of attack when we think of information security in relation to computer data. The fear here is that an attacker could exploit a weakness in our computer systems, networks or applications and steal important member/customer data that they could use for fraud or identity theft. Common attacks include penetration of the Internet-exposed network, application security issues like SQL injection or the introduction of malware/spyware onto users' systems to gain illicit access. To defend against these attacks credit unions should be performing ongoing security testing and using detection and prevention technologies like firewalls, IDS/IPS, honeypots, etc. They should also have strong security policies, strong authentication, good anti-virus/malware tools and reliable patching mechanisms. These are the primary steps for protecting the electronic systems of a credit union against compromise.

2) Physical security compromises – These are the often forgotten security issues, but a breach of physical security is often among the most devastating of attacks. Items like unshredded member data, identity information, loan applications, checks or the like making their way into dumpsters are a common cause. Attackers using combinations of physical attacks and social engineering to install hardware devices on the network, gain access to sensitive areas or mount other forms of attack are also common. Credit unions are used to protecting themselves from outright robbery and theft, but the subtle methods of cyber-attackers leveraging the physical realm are often beyond their existing vision of security. The keys here are to have good processes for managing physical assets in the computing environment, good employee awareness of security procedures and assessments that show where your weak points lie so that you can address them. Awareness is the primary tool here, as employees of the credit union must have good procedures and remain ever vigilant against breaches of those procedures and protocols. They must understand what data is confidential, and how it is to be handled, stored and discarded. Often, a risk assessment is an excellent tool for identifying issues around physical security and document handling. Credit unions would be wise to pursue a risk assessment as soon as possible, as it has also recently become a regulatory requirement.

3) Social engineering compromises – Social engineering attacks are probably the most common form of attack credit unions face. Social engineers often use trickery, deceit and trust to gain access to information that, at the time, may seem small or insignificant, but may lead to compromise on a wide scale. Social engineers may be overt, asking tellers for identity information or using phone calls to ask for passwords, or they may be subtle – like leaving CDs and USB keys in the parking lot that Trojan machines when used. No matter what form of social engineering the attacker chooses, the best defense is employee policies and awareness. Credit unions must make sure that each and every employee is aware of their security policies and the processes used to protect the environment from compromise. They must understand the risks, the current techniques in use by attackers and have a means of comfortably reporting suspicious behaviors. Only then will credit unions be well protected against social engineering.

Credit unions may be getting more scans against their firewalls and IDS/IPS systems now than banks, but the majority of credit unions are fairly well secured against Internet attacks thanks to the years of media attention and regulatory requirements. Obviously, some improvements could be made – but that is true for almost all organizations. Credit unions taking information security seriously should examine their current security posture, ensure that, at a minimum, they are performing the above tasks and then work toward identifying a means to improve. Attackers will follow money, and as such they will remain focused on credit unions, banks and other financial institutions for some time to come.

Overall, though, credit union members have no reason to feel that they are at increased risk just because they belong to a credit union. In our opinion, the risks to the average consumer show little difference between using a bank or a credit union. The average consumer risks far more by shopping using their credit cards or not using a shredder for their home trash than by choosing to do business with either financial institution, be it bank or credit union.

Smart New Use for HoneyPoint Security Server

I just heard from a client, one Mr. BW, we shall call him, that he has a smart new use for HoneyPoint Security Server in his organization. In addition to using it as designed, to capture emerging internal threats, Mr. BW has found a way to make use of HoneyPoint’s emulated web server to catch and capture malware and spyware inside his organization!

He came up with the idea of using HPSS in conjunction with the Bleeding Snort rule set for malware. He extracted the appropriate black-hole DNS records and placed them on his internal DNS server. But this simply black-holed the infected systems and broke their connections; it did not tell him what the malware was seeking, passing or otherwise communicating. So he changed the black-hole DNS entries to point to a HoneyPoint emulated web server instead!

Now, when known malware looks up a black-holed name, it is redirected to the HoneyPoint. This not only alerts Mr. BW to the presence of the malware and the location of the infected PC – it also gives him insight into exactly what the malware is doing, what information is being transmitted and how extensive the damage may be. (Traffic that speaks HTTP is captured in full; a sample using some other protocol still shows up as a connection from the infected host, which is enough to find the PC.)
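As an added example of the capture side (my illustration, not HoneyPoint code), here is the parsing a sinkhole web listener needs once a malware domain resolves to it: turn each raw HTTP request into a record naming the infected host, the name it tried to reach and the fields it sent home, then flag fields that look like data leaving the organization. The sample request, the source address and the field names are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not HoneyPoint code: once a malware domain resolves to the
# honeypot instead of a black hole, this turns each captured HTTP request into
# a triage record. The request below is constructed; field names are assumed.
SAMPLE_SRC_IP = "10.20.30.40"
SAMPLE_REQUEST = (
    b"POST /gate.php?id=WS-0142&os=WinXP HTTP/1.1\r\n"
    b"Host: update-check.invalid\r\n"
    b"User-Agent: Mozilla/4.0 (compatible)\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 45\r\n"
    b"\r\n"
    b"user=jsmith&pass=Winter06&mail=j@corp.example"
)

CREDENTIAL_KEYS = {"user", "username", "login", "pass", "password", "pw"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12}\d{1,4}\b")  # 13-16 digits, separators allowed


def parse_beacon(src_ip, raw):
    """One raw HTTP request from an infected host -> what it was trying to say."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    # Query-string fields first, then form-encoded body fields if present.
    fields = {k: v[0] for k, v in parse_qs(url.query).items()}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields.update({k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()})
    return {
        "infected_host": src_ip,                        # the PC to go clean
        "c2_host": headers.get("host") or url.netloc,   # the sinkholed name
        "method": method,
        "path": url.path,
        "user_agent": headers.get("user-agent", ""),
        "fields": fields,                               # what it sends home
        "body": body,
    }


def exfil_indicators(record):
    """Flag fields that look like data leaving the organization."""
    flags = []
    for key, value in record["fields"].items():
        if key.lower() in CREDENTIAL_KEYS:
            flags.append("credential-field:" + key)
        if EMAIL_RE.search(value):
            flags.append("email-address:" + key)
        if CARD_RE.search(value):
            flags.append("card-number-like:" + key)
    return flags


def demo():
    record = parse_beacon(SAMPLE_SRC_IP, SAMPLE_REQUEST)
    return record, exfil_indicators(record)
```

Wiring this to a real listener is just a matter of handing each accepted connection's bytes and peer address to parse_beacon(); the point is that the black-hole answer alone would have given you none of the "fields" entry, which is where the damage assessment lives.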

Mr. BW says this gives him a unique capability to communicate the overall risks of the malware and a new tool in helping to protect his organization.

Our thanks to Mr. BW for his feedback and insight! Congrats on the forward thinking and on the adaptation of the tool to your needs!

Handling Unknown Binaries: A Quick How-To

You check your email and receive a suspicious file and your antiviral scanner didn’t throw any flags so you wonder, is it safe to open? There are some things you can do when you get a possible virus that not only helps you, but the entire security community as well.

1. Surf to http://www.virustotal.com and upload the possible virus. VirusTotal then scans the file using numerous antivirus programs to determine which ones detect the file as a virus and which do not.

Now if none of them detect it as a virus, this doesn't necessarily mean it's safe to open, but at least you'll know for sure if VirusTotal does detect it. Another site that offers a similar service is http://virusscan.jotti.org

2. Review the binary with your favorite "strings" type program, which pulls any readable text out of a binary for you to view. You might use strings from Unix/Linux or BinText for Windows, or even some editors. Be very careful not to execute the file; just examine it for strings. Keep a lookout for things like registry keys that execute commands, networking calls, URLs, etc. This isn't 100% effective, since strings can be encoded or encrypted inside the binary, and a packed binary yields almost nothing readable, so you might also need to run an unpacker on the binary first. Try this beforehand with known-good tools and get some practice with both unpackers and strings-type utilities.

3. Lastly, if both of the previous steps show nothing, you might also consider setting up a test machine or a VM image and running the possible virus in that isolated environment, but this is not recommended for the faint of heart or technically unsavvy. Take a snapshot first and keep the VM on an isolated (host-only) network, so the sample can neither reach your real systems nor phone home through you. For the average user, uploading it to VirusTotal and then deleting it would be enough. Tools like Wireshark that capture incoming and outgoing packets provide valuable insight in an investigation of this sort. Some malware is smart and won't immediately begin sending data as soon as it starts, but will delay its actions to fool investigators into thinking it is benign, so be aware.

4. For those of you who are more advanced with code and development, or those looking to become more advanced, you could also investigate the use of a debugger or other reverse engineering tools. If so, it is beyond the scope of this article, but check around the Net – there are many articles dedicated to these tools and techniques.

These are merely basic steps and ideas. Each step requires skills and additional practice that new users or less advanced users may not have. When in doubt, simply delete. If the file was sent to you by someone you know personally, play it safe and call them.

So, try these at your own risk. Your mileage and paranoia may vary…

Internet Explorer Hokey Pokey

They put an exploit in, they put a patch out, they put an exploit in and users turn themselves about… You get the idea (sorry, I know it’s bad)…

IE users (and Microsoft) are having a particularly bad couple of weeks. First the VML issue became critical and widespread, with all the associated user confusion over the work-arounds and such. Microsoft then released an out-of-cycle patch, only to be one-upped by attackers who almost immediately reworked a bug previously known only as a DoS into yet another remote code execution bug in IE.

As with VML, this new "old" bug is likely to be widespread and adopted into various bot and browser vulnerability frameworks, continuing to make it even less safe for users to browse the web at large than before… Blah, blah, blah… Just as before, repeat – because apparently "that's what it's all about".

😉

In the meantime, while we wait on patches for this latest IE exploit, do the usual. Try and educate users about safer browsing choices, reinforce the idea of enclave computing with your management team, harden your browsing environment as much as possible and make sure IDS/IPS signatures and AV/Spyware signatures are up to date.

Oh, and if you have time, learn the hokey pokey dance. It’s helpful at weddings and looks like it might be a good skill to have for the coming months!

“Retreat, hell! We’re just attacking in a different direction”

The CEO of my company (MicroSolved, Inc.) recently returned from a trip to Aruba, in which he was forced to endure the ban on liquids and gels on airlines. While patiently complying with the wishes of the TSA inspectors, he began to wonder if the additional inconvenience was worth the minimal decrease in security risk that the average airline customer would experience. Upon his return, he did a little research about the current rates of injury or death when performing everyday tasks, such as flying, driving, swimming in your backyard pool, and walking in the rain.

While the research revealed some very interesting facts regarding the risk involved with performing these everyday tasks, it prompted me to ask a different question. Our CEO was interested in knowing if the inconvenience was worth the reduction in risk. I asked whether the inconvenience was worth it at all. Did it even work?

I immediately began to think about how we got to the point we currently find ourselves, in regards to Anti-Terrorism and Information Security. Can we find a way to tie Anti-Terrorism measures and Information Security measures together to get an idea of whether the Anti-Terrorism measures can ever be effective?

When thinking of Information Security, the first thing that comes to mind is one despicable word: Signatures. Nearly every school of thought that has been bought into by security professionals involves the use of signatures to detect an attack. Your Anti-Virus relies on signatures to identify malware. Your Intrusion Detection/Prevention devices rely on signatures to identify attacks. Your spyware/adware detection devices rely on…you guessed it…signatures.

Signatures have proven to be quite effective…AFTER THE INITIAL ATTACK. The problem is that someone or something would have to have already seen the attack, in order to create an accurate signature. This holds true with today’s current Anti-Terrorism strategy. Think about just about every strategy that has been put into place to identify (or protect you from) a terrorist attack. We don’t implement bans on “liquids” until AFTER someone has already seen that particular method. We don’t restrict the use of metal silverware on a plane until AFTER someone has used a butter knife to hijack a plane.

There is a portion of the Information Security community (me included) who believe that we have already lost the war against malicious attackers. Of that portion of the community, several of us firmly believe that we are at a crossroads in what Information Security is now and will be in the future. A couple of us believe that it is now time to recognize that the good guys have lost the war and it is now time to pull back and focus our efforts on securing the critical data and leaving the users to their own devices.

There is a term floating around out there that speaks directly to this school of thought: Enclave Computing. Whereby, we would attempt to begin to identify the critical information that needs to be protected. Once we have identified the critical information, we move it to a secluded part of the network , or “enclave”, and wrap controls around it that dictate who and what has access to the information. We give the user base everything that we can give them for protection, but we don’t care about what happens to their boxes. We don’t care if they get compromised, because no critical information is stored on the machine. If one of their machines gets compromised, it becomes a turn-and-burn situation. That machine gets imaged and is back in operation in less than an hour. The information, being secluded from the compromised host, remains secure.

Now, I’m not condoning the thought that the government needs to consider leaving the citizenry to their own devices. I, a former US Marine, am absolutely certain that the War on Terrorism is something we can and will win, not to mention that we HAVE to win it. What I am afraid of is that we don’t know HOW to win. If we keep following the path of relying on signatures to protect our citizens and their information, as the War of Information Security has shown, we will lose.

As a country and an industry, we need to get back to our roots. We need to rely on that ingenuity that Americans so proudly brag about. We need to find pre-emptive solutions to defending our country and her information. I don’t know what the answer is to waging the War on Terrorism. I do know that MSI is using that “American Ingenuity” right now to create solutions to help us defend our information. What forward thinking organization will be the one to break new ground in providing a realistic method of waging the War on Terrorism?

One final, albeit scary, thought that remains just as true for National Security as it does for Information Security is something the President has been quoted as saying: our enemies "only have to be right once; we have to be right 100 percent of the time".

VML Exploits Are Ugly and Pervasive

For several days we have been monitoring the explosion of the VML 0-day for Internet Explorer. It has become clear that this is a significant exploit.

Attackers began almost immediately to spread and improve the exploit once it was published. It was quickly included in several vulnerability and exploit tools. It took a surprisingly short amount of time for the incidents to begin to pop up around the Net.

The fact that Outlook is also vulnerable added to the fuel of the underground, as attackers with all kinds of motives began their assaults. They continue, even as I write this.

The exploit is ugly and dangerous. It has multiple attack vectors, including web and email, and attackers have refined the code until they now have the capability to do proper version checking and adapt the exploit to a variety of platforms.

Currently, some AV vendors have been less successful in defending against this problem than others. Many AV vendors are working hard to keep up with the ever changing set of binaries that the exploit examples download after the exploit runs. We all know this is admirable, but a losing battle. Truly resourceful attackers will grab code that is in no database, and even basic attackers will be able to modify existing tools to bypass the rudimentary checks many vendors are using.

In the meantime, the workaround is continuing to be used and refined as well. If you can get by without VML, unregister the DLL to protect yourself and your organization: the workaround from Microsoft's advisory is regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll", run with administrative rights, and the same command without -u re-registers it once the patch is in. Security teams should be making this decision quickly, as it may already be too late.

The last we heard, Microsoft is scheduled to release the official patch on Oct. 10. This means there is still plenty time for attackers to identify, target and exploit users around the world. The work around may be the best defense until the patch becomes available.

Stay tuned to your normal security intelligence sources for more information as it becomes available. Check out WatchDog if you are looking for such a source. It is available FREE from http://www.microsolved.com/watchdog

Some Truths of InfoSec…

In many of the conversations I have been having lately with InfoSec managers, some of them seem to have forgotten some of the basics of our relationship with attackers. They seem to have forgotten some of the basic tenets of security and they certainly don't seem to be aware of Murphy's Law.

So, let’s review a couple of items – just for refresher.

The first item is that attackers control the pace, not defenders. They are in control of when attacks occur, where they occur and how serious they are. Now we, as defenders, have some capabilities here to try and make sure we have minimized the impact of these incidents – but we have NO CONTROL over the timing, pace or location. Those items belong to the attacker.

Second, attackers will focus on your weaknesses, not your strengths. That is simply what smart attackers do. If you build all of your defenses and post your armies of cyber soldiers to brace for a full frontal assault, it is likely that a smart attacker will flank you. This is elementary in warfare, and it is a real and vital part of InfoSec too. You have to allow for defenses that embrace your assets and not just protect the obvious issues. You have to be ready to defend the subtle assets and locations too. Gone are the days, if they ever really existed, of attackers impaling themselves on your firewall and IDS/IPS en masse. Today, attackers are more subtle, more evasive and target things deeper in your territory. Things like users, client-side vulnerabilities and remote access points are juicy targets for today's attacker.

As for Murphy, InfoSec managers need to remember, attackers will exploit timing issues without concern. They will leverage the fact that you are down a headcount, that your entire staff is at a week of training, that your budget does not have room for the sudden purchase of a security tool to combat a new threat. Attacks will come at the worst possible moment, so you might as well plan for them. Got a merger coming up, or an important period of business in the run for the end of the year? If so, it would be wise to ensure you preserve some resources for possible incidents and attacks. Murphy says they are just likely to happen when you need them least.

Again, I know these seem pretty basic, but they are truths of security and defense. They are universal, uncaring and painful if you have to learn them the hard way. So, build them into your plans and be ready to explain them to other management. The more you study them up front, the less they can harm you down the road.